Provide service accounts tokens to extensions #9618
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Compatibility status: Checks if related components are compatible with change 8ca2b87
Incompatible components: [https://github.com/opensearch-project/k-nn.git]
Skipped components
Compatible components: [https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git]
Compatibility status: Checks if related components are compatible with change 3bdc4e4
Incompatible components
Skipped components
Compatible components
Just minor cleanup, then should be ready to merge - much smaller change good work @scrawfor99
server/src/main/java/org/opensearch/extensions/ExtensionsManager.java
Gradle Check (Jenkins) Run Completed with:
Signed-off-by: Peter Nied <petern@amazon.com>
@scrawfor99 Waiting on CI to complete since merge conflicts were resolved
@peternied should be all set :D
@scrawfor99 Could you make sure all the flaky tests have issues or file new ones, this was a rough go of things
Will do
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
Signed-off-by: Ivan Brusic <ivan.brusic@flocksafety.com>
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
(cherry picked from commit 994e115)
#11052)

* Implement on behalf of token passing for extensions (#8679)

* Provide service accounts tokens to extensions (#9618)

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

* Cherry pick #10614 and #10664

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
Signed-off-by: Shivansh Arora <hishiv@amazon.com>
Description
This PR implements service account issuance and passing for extensions. This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.
As part of this change, the ExtensionsManager will now take an instance of the IdentityService as part of its construction. This change was made so that the service account token could be generated inside of the class using a call to the token manager. Without passing the IdentityService it was not possible to get the implementation of the TokenManager required to generate the ServiceAccountToken.
Related Issues
This issue resolves: opensearch-project/security#3176
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
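
Added example, not part of this pull request or of OpenSearch: one way an extension could handle the service account token string described above once it arrives, checking its shape and keeping it out of logs. The class name ServiceAccountCredential is hypothetical, only JDK classes are used, and the token is assumed to be the Base64 encoding of "user:password" (the description says only "encoded basic auth credential string").

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not OpenSearch code. ServiceAccountCredential is a hypothetical
// extension-side holder; it assumes the token is Base64("user:password").
public final class ServiceAccountCredential {
    private final String encoded; // the token exactly as received
    private ServiceAccountCredential(String encoded) { this.encoded = encoded; }

    // Validate the shape once on receipt so a malformed token fails here,
    // not later as an opaque authentication failure against the cluster.
    public static ServiceAccountCredential parse(String token) {
        if (token == null || token.isBlank()) {
            throw new IllegalArgumentException("service account token is missing");
        }
        final byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token.trim());
        } catch (IllegalArgumentException e) {
            // Do not chain the cause or include the token: both can echo secret material.
            throw new IllegalArgumentException("service account token is not valid Base64");
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int sep = decoded.indexOf(':');
        if (sep <= 0 || sep == decoded.length() - 1) {
            throw new IllegalArgumentException("service account token is not user:password");
        }
        return new ServiceAccountCredential(token.trim());
    }

    // Value for the HTTP Authorization header on requests to the extension's system index.
    public String authorizationHeader() {
        return "Basic " + encoded;
    }

    // Redacted on purpose: objects like this end up in log statements and exception text.
    @Override
    public String toString() {
        return "ServiceAccountCredential[REDACTED]";
    }

    public static void main(String[] args) {
        // Constructed sample credential, not a real account.
        String sample = Base64.getEncoder()
            .encodeToString("ext-demo:not-a-real-secret".getBytes(StandardCharsets.UTF_8));
        ServiceAccountCredential cred = parse(sample);
        System.out.println(cred);
    }
}
```

A basic auth credential is reusable until it is rotated, so the string passed over the transport action deserves the same handling as a password: held in memory only, never written to logs or persisted alongside extension state.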